Security guides for vibe-coded apps

May 9, 2026 · VibeWShield Team
Inngest Webhook Auth: When `event.key` Isn't Enough
Inngest signed webhooks are great — if you verify them. Vibe-coded handlers often trust the `event.key` field without checking the signature, and the whole workflow becomes callable by anyone.

May 3, 2026 · VibeWShield Team
Stripe Test Keys in Live Bundles — 30-Second Detection
Test-mode Stripe keys (sk_test_ / pk_test_) in a production bundle means your checkout never actually charges. A surprisingly common vibe-coded bug. Here's how to catch it.

May 3, 2026 · VibeWShield Team
QStash Tokens Leaked via NEXT_PUBLIC_ Prefix
Upstash QStash uses a bearer token for queue operations. Naming it `NEXT_PUBLIC_QSTASH_TOKEN` publishes it to every browser, and anyone can enqueue jobs — including paid ones.

May 3, 2026 · VibeWShield Team
Sanity Studio Open to the Public: 4-Step Lockdown
Sanity Studio auto-deploys to `/studio` and is publicly reachable unless you opt in to authentication. Here's the four-step checklist to lock it down and the tell-tale signs it's already compromised.

May 1, 2026 · VibeWShield Team
Next.js 15 Parallel Routes: The Authorization Gaps You Probably Have
Parallel routes render multiple pages at once. Your auth check runs on one of them. Guess what happens on the other.

May 1, 2026 · VibeWShield Team
Server Components + Suspense: Rendering User Data to Everyone
Suspense boundaries cache at the layout level by default. When you render personal data inside one, the HTML streams once and serves every viewer.

May 1, 2026 · VibeWShield Team
Supabase Realtime: When Anonymous Subscriptions Bypass Your RLS
Supabase Realtime subscriptions respect RLS — usually. Here are the three configurations where anonymous clients still receive row-level events they shouldn't see.

April 25, 2026 · VibeWShield Team
Neon Branch Passwords Committed to Git — A Full Audit
Neon creates a new Postgres branch per preview environment, each with its own connection string. AI tools love to commit `.env.preview.neon` to fix build errors. Here's how to reclaim them all.

April 25, 2026 · VibeWShield Team
shadcn/ui Components: Where User-Controlled HTML Sneaks In
shadcn/ui is copy-paste components, which means you own them — and any sanitization they miss. Here are the three props that vibe-coded apps pass user content to and regret.

April 25, 2026 · VibeWShield Team
Database Admin Ports Open on Production: The 10-Port Checklist
Drizzle Studio, Prisma Studio, pgAdmin, Adminer, phpMyAdmin, Hasura Console, Keystone Admin, Strapi, Directus, PocketBase. One port open = full database compromise.

April 25, 2026 · VibeWShield Team
Why We Built VibeWShield
Every week we were reviewing AI-generated apps with the same bugs — exposed Supabase keys, client-side admin checks, Server Actions that trust the client. Traditional DAST tools didn't care. So we built a scanner that does.

April 24, 2026 · VibeWShield Team
Cloudflare Workers: Bindings vs Env — Where Your Secret Actually Leaks
Cloudflare treats 'Environment Variables' and 'Secret Bindings' as different things. Vibe-coded Workers mix them up, and half the 'secret' values end up readable in the Worker's preview URL.

April 24, 2026 · VibeWShield Team
Convex Auth: 5 Mistakes AI Tools Keep Making in Your Queries
Convex's reactive model makes authorization hide in plain sight. Cursor / Claude scaffold queries without auth checks, and the whole app leaks user data by default. Here are the five patterns to fix.

April 24, 2026 · VibeWShield Team
Drizzle Kit Studio Exposed on Production: Silent Data Exfiltration
Drizzle Studio is a developer admin UI for your database. If your deploy pipeline accidentally ships it to prod, any visitor can read — and edit — every row.

April 21, 2026 · VibeWShield Team
What is VibeWShield? A 90-Second Explainer
VibeWShield is a free DAST scanner built specifically for apps generated by Cursor, Lovable, Bolt, Replit, and v0. Here's what it does, how it differs from traditional security tools, and why AI-generated code needs its own scanner.

April 21, 2026 · VibeWShield Team
Inside VibeWShield: 65+ Scanners, AI Chaining, and the Browser Pass
Under the hood, VibeWShield is a Python orchestrator coordinating 65+ concurrent scanners, a headless Chromium browser pass, Claude AI enrichment, and an agentic AI pentester. Here's how the pipeline actually works.

April 21, 2026 · VibeWShield Team
Your First VibeWShield Scan: A 5-Minute Walkthrough
What to expect from your first scan — choosing a mode, reading the results, and applying the fix prompts to your AI coding environment. Everything you need to go from 'scan started' to 'vulnerability patched' in one session.

April 21, 2026 · VibeWShield Team
Resend API Keys in Lead Forms: Why You Need to Rotate Them Tomorrow
Resend, the transactional email API, is one of the most-leaked secrets in 2026 vibe-coded apps. The contact-form pattern Lovable/Bolt generate puts the key in the client. Here's the audit.

April 21, 2026 · VibeWShield Team
Vercel's April 2026 Security Incident — What to Check in Your App Right Now
Vercel disclosed a security incident on April 19, 2026. If your vibe-coded app is hosted on Vercel, here are the five concrete checks to run today — and how VibeWShield surfaces them automatically.

April 21, 2026 · VibeWShield Team
Next.js Server Actions: Security Risks When Vibe-Coding
AI tools generate Server Actions with mass assignment vulnerabilities. Learn how attackers inject admin privileges and how to fix it with Zod validation.

April 21, 2026 · VibeWShield Team
Quick Scan: 40+ Security Checks in Under 3 Minutes
VibeWShield Quick Scan runs 40+ security checks against your web app in under 3 minutes. No account needed. Here's exactly what it covers and what it skips.

April 21, 2026 · VibeWShield Team
How ChatGPT and Claude Generate SSRF Vulnerabilities
AI often generates unsafe URL fetch code leading to Server-Side Request Forgery (SSRF). Learn why it happens and how to secure Next.js API routes.

April 21, 2026 · VibeWShield Team
Top 5 Security Vulnerabilities in AI-Generated Apps
AI coding assistants ship apps fast but create predictable security blind spots. The top 5 vulnerabilities in vibe-coded apps and how to fix each one.

April 21, 2026 · VibeWShield Team
tRPC Procedure Authentication: Why AI-Generated Code Leaks User Data
AI coding tools scaffold tRPC routers without auth middleware. See the exact pattern attackers use to read other users' orders, invoices and messages — and how to fix it in one line.

April 21, 2026 · VibeWShield Team
Hacking a "Vibe-coded" App in 15 Minutes: A Real Case Study
A step-by-step breakdown of how an attacker can find an exposed database port and a .env file in AI-generated code, demonstrating the critical need for external DAST scanning.

April 21, 2026 · VibeWShield Team
Vibe-Coding SaaS Security: The Ultimate Pre-Launch Checklist
Before you launch that AI-generated SaaS on Product Hunt, run through this 5-minute security checklist to avoid massive data leaks.

April 21, 2026 · VibeWShield Team
Agentic Scan: Your AI Pentester Running an OODA Loop
Agentic Scan deploys Claude AI as an autonomous pentester. It reads your scan results, forms attack hypotheses, sends targeted probes, and reports what scanners miss.

April 21, 2026 · VibeWShield Team
Aggressive Mode: Testing What Others Won't Touch
Aggressive Mode unlocks state-changing security tests — file upload attacks, mass assignment, prototype pollution, and more. Here's what it does and why it's safe.

April 21, 2026 · VibeWShield Team
AI Chatbot Prompt Injection: 2026 Attack Patterns and Defense Playbook
Custom AI chatbots built with LangChain, Vercel AI SDK and the OpenAI API leak system prompts, tool secrets and user data daily. Here are the five prompt-injection patterns that work right now — and the defenses that actually hold.

April 21, 2026 · VibeWShield Team
Top 5 Automated Web Vulnerability Scanners (2026)
Comparing the best DAST scanners for Next.js, React, and GraphQL in 2026. Pricing, pros, cons, and which tool fits your team.

April 21, 2026 · VibeWShield Team
Bolt.new Security Audit: 7 Blind Spots in Every App You Ship
Bolt.new generates full-stack apps in minutes, but the default project template hides unsafe patterns. Here are the seven checks every Bolt app should pass before it goes to production.

April 21, 2026 · VibeWShield Team
Top 5 Security Flaws Cursor AI Writes in Next.js 15
Vibe-coding is fast but often sacrifices security. The top 5 vulnerabilities found in Next.js apps generated by Cursor AI and how to fix them.

April 21, 2026 · VibeWShield Team
Deep Scan: Full Security Audit with AI-Powered Analysis
Deep Scan runs 65+ scanners, browser runtime analysis, and Claude AI to find vulnerabilities, build attack chains, and generate fix prompts — free with a VibeWShield account.

April 21, 2026 · VibeWShield Team
How Exposed API Keys End Up in Your JavaScript Bundle
API keys bundled into client-side JavaScript are the #1 critical finding in vibe-coded apps. How it happens and how to fix it.

April 21, 2026 · VibeWShield Team
How to Properly Secure Supabase Row-Level Security
Supabase RLS is one of the most commonly misconfigured security features in vibe-coded apps. Here's a practical guide to getting it right.

April 21, 2026 · VibeWShield Team
Why Your Lovable App Is Probably Leaking User Data Right Now
Lovable generates apps fast but creates predictable security gaps. What leaks, why it happens, and how to fix it before attackers find it.

April 21, 2026 · VibeWShield Team
Why NextAuth (Auth.js) Doesn't Guarantee API Security
NextAuth handles authentication but not authorization. AI-generated apps consistently miss API endpoint protection. Here's how to fix missing access control.

April 21, 2026 · VibeWShield Team
React Server Components (RSC): The Hidden Data Leak Risk
Passing data blindly from Next.js Server Components to Client Components is causing severe API data leaks. Learn how to sanitize props.